Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature
Filip Skokan <panva.ip@gmail.com> Thu, 03 December 2020 09:21 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E54BA3A0D6E for <oauth@ietfa.amsl.com>; Thu, 3 Dec 2020 01:21:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zotKdbU6b2eV for <oauth@ietfa.amsl.com>; Thu, 3 Dec 2020 01:20:58 -0800 (PST)
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 217453A0DEA for <oauth@ietf.org>; Thu, 3 Dec 2020 01:20:58 -0800 (PST)
Received: by mail-yb1-xb35.google.com with SMTP id t33so1430389ybd.0 for <oauth@ietf.org>; Thu, 03 Dec 2020 01:20:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=umAgptDz+npAaIZj2oNCyPLf0HzXQwVZ0uGBpe9QdfU=; b=tYJzDKCDc0Z5wgYXQ7rjtMq64zOZB4eFCI/FpoH5ACUpy5puhQ/yNm9CJ6YnmGhNOi HafSQRbOth8HK0O0Y2jpYtVIs2tF7bp7ecadgydXytiloWEOxf/UaxHzzuBxkHctm/e6 5dsKBurGkFCyPxtga7relsvvH7PAM8nnwHqi6Ygmox8J2bZp21Ry9OWBev5Nsn8JQa5O Xug0lL6Us2m44/ghv6D3hF6DL7uxYWvzyZAH6CGdV2OrBM+NOtXU7+bJ/JYsr9b+QNhQ YzoFW3FIokI3rMC3ieKzHdMwi2dBoYzSMKgZ8SEVVQUpkfF/vIbZrMQEx5Osxummr1Ki Bf9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=umAgptDz+npAaIZj2oNCyPLf0HzXQwVZ0uGBpe9QdfU=; b=cu0zPuiZdpd9fqiwiNtyWlw9EMdldzbVp2e244UGBTEdm4rFlD/SN62zLYY2caRQjz 57MBO4F4CNQwluST8eIoNYqgHJJNZSNrL9LE6kc+fPaSFHZR0O2Lf6RjAF5aDZt7ZXsM xcqLDzdOFkCRWQVJ4vSbDgVixypyo3+uePyvQEAaLvGTKPa6rsMwy5JThyl2slRVxaky vS1EAaNMwZvx2V4qSo9nguAd/bitUoII6BnEW+TuBithpcRC3Um+OE1wBjdwLfuPUmkJ xqKYcwClZ7A//I1LOqdpBu9qv66ZvJuP1KoHoSFoToIoFrE9q9HEXweTSCHv5HCpA8IJ kStw==
X-Gm-Message-State: AOAM5320TZt4cy6xZ712Ei+047NpurJtgiCLqOMQPOJ3IxSQKaKIrUuq aGSpzcOujTolW/FYcpL+23lsdtPzbbzCPBzekA==
X-Google-Smtp-Source: ABdhPJxdj7leQRdKFd4TpEdJ0rAQzE5glRvxGHsGnIhRuI9etVIrgOuZlHuG6aNYRlmRImH8uaFhg/Mx27eEjxz6zKU=
X-Received: by 2002:a25:f623:: with SMTP id t35mr3324042ybd.399.1606987256809; Thu, 03 Dec 2020 01:20:56 -0800 (PST)
MIME-Version: 1.0
References: <CA+k3eCSyMWyLYorWH7KY+XR1syAQUi4tQXdUuevKz4Y6xNMheA@mail.gmail.com>
In-Reply-To: <CA+k3eCSyMWyLYorWH7KY+XR1syAQUi4tQXdUuevKz4Y6xNMheA@mail.gmail.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Thu, 03 Dec 2020 10:20:20 +0100
Message-ID: <CALAqi_8zWGAG8p5OnrTB=4q_jL00dJi5oYQrWXmzvqKGhfL28w@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/related; boundary="0000000000009a16c205b58be0bf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NA35PmiT3Fqg54YcZmhBXEm0tUw>
Subject: Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 09:21:09 -0000
Hi Brian, everyone, While the attack vector allows direct use, there is the option where a smarter attacker will not abuse the gained artifacts straight away. Think public client browser scenario with the non-extractable private key stored in IndexedDB (the only place to persist them really), they wouldn't use the tokens but instead, exfiltrate them, together with a bunch of pre-generated DPoP proofs. They'll get the refresh token and a bunch of DPoP proofs for both the RS and AS. With those they'll be able to get a fresh AT and use it with pre-generated Proofs after the end-user leaves the site. No available protection (e.g. RT already rotated) will be able to kick in until the end-user opens the page again. OTOH with a hash of the AT in the Proof only direct use remains. If what I describe above is something we don't want to deal with because of direct use already allowing access to protected resources, it's sufficiently okay as is (option #1). However, if this scenario, one allowing prolonged access to protected resources, is not acceptable, it's option #2. Ad #2a vs #2b vs #2c. My pre-emptive answer is #2a, simply because we already have the tools needed to generate and validate these hashes. But further thinking about it, it would feel awkward if this JWS algorithm driven at_hash digest selection wouldn't get stretched to the confirmations, when this are placed in a JWT access token, cool - we can do that, but when these are put in a basic token introspection response it's unfortunately not an option. So, #2b (just use sha-256 just like the confirmations do). Best, *Filip* On Wed, 2 Dec 2020 at 21:50, Brian Campbell <bcampbell= 40pingidentity.com@dmarc.ietf.org> wrote: > There were a few items discussed somewhat during the recent interim > <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/session/oauth> > that I committed to bringing back to the list. The slide below (also > available as slide #17 from the interim presentation > <https://datatracker.ietf.org/meeting/interim-2020-oauth-16/materials/slides-interim-2020-oauth-16-sessa-dpop-01.pdf>) > is the first one of them, which is difficult to summarize but kinda boils > down to how much assurance there is that the DPoP proof was 'freshly' > created and that can dovetail into the question of whether the token is > covered by the signature of the proof. > There are many directions a "resolution" here could go but my sense of the > room during the meeting was that the contending options were: > > 1. It's sufficiently okay as it is > 2. Include a hash of the access token in the DPoP proof (when an > access token is present) > > > Going with #2 would mean the draft would also have to define how the > hashing is done and deal with or at least speak to algorithm agility. > Options (that I can think of) include: > > - 2a) Use the at_hash claim defined in OIDC core > https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken. > Using something that already exists is appealing. But its hash alg > selection routine can be a bit of a pain. And the algorithm agility based > on the signature that it's supposed to provide hasn't worked out as well as > hoped in practice for "new" JWS signatures > https://bitbucket.org/openid/connect/issues/1125/_hash-algorithm-for-eddsa-id-tokens > - 2b) Define a new claim ("ah", "ath", "atd", "ad" or something like > that maybe) and just use SHA-256. Explain why it's good enough for now and > the foreseeable future. Also include some text about introducing a new > claim in the future if/when SHA-256 proves to be insufficient. Note that > this is effectively the same as how the confirmation claim value is > currently defined in this document and in RFC8705. > - 2c) Define a new claim with its own hash algorithm agility scheme > (likely similar to how the Digest header value or Subresource Integrity > string is done). > > > I'm requesting that interested WG participants indicate their preference > for #1 or #2. And among a, b, and c, if the latter. > > I also acknowledge that an ECDH approach could/would ameliorate the issues > in a fundamentally different way. But that would be a distinct protocol. If > there's interest in pursuing the ECDH idea, I'm certainly open to it and > even willing to work on it. But as a separate effort and not at the expense > of derailing DPoP in its general current form. > [image: Slide17.jpeg] > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*_______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] DPoP followup I: freshness and coverag… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Filip Skokan
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Filip Skokan
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Philippe De Ryck
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Neil Madden
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Philippe De Ryck
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Philippe De Ryck
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Jim Manico
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Philippe De Ryck
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Neil Madden
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Neil Madden
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Neil Madden
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Jim Manico
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Brian Campbell
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Justin Richer
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP followup I: freshness and cov… Filip Skokan